Well, this plays into what we keep talking about with any cloud or internet service; time and money. You see to change the password hashing algorithm of all users a company would have to do quite a bit. It is not as simple as buy the new software, install it and you are done. Having gone through the process of changing the encryption software used for a forum once (over 40,000 members) I can very vividly remember the time it took and what we had to do with the user accounts to ensure that their accounts switched over to the new hash (mostly it involved going through and deauthorizing accounts so that when they logged back in they got were transferred over to the new hash). Although there were steps taken to automate things, it was not a smooth transition and we had multiple, multiple emails and messages asking for help… Like we said, it was expensive in terms of licensing and time spent helping out users with issues.
Now think about some of the online services out there that have more than 6 MILLION members they would have to deal with and you get the idea. It is an expensive proposition. This does not excuse them from staying with a known insecure platform, but it is the reason that most companies do not move until they have an actual breach. As long as things are fine there is no reason to spend the money required to do the job. (I had to deal with that mentality over outdated servers very often).
So to help with this the author of md5crypt() has publicly come out and warned against its continued use. I would guess that he feels that if people are aware of this issue it might force some companies to change now before they start losing users over a potential security problem. This is unlikely to work, but it is still a nice effort on his part. There is no such thing as unbreakable encryption, all algorithms and encryption formats become outdated. It is the responsibility of the companies that hold our data to ensure that they are using best practices (and update those on a continual basis) or we will continue to see things like this happen.
Unfortunately bad practices are all rolled up with keeping costs down whenever it comes to services. This is simply what you get when you sign up for “free” and inexpensive cloud based services.
Discuss this in our Forum
Saturday, 09 June 2012 11:57
Author Of Password Hashing Software md5crypt Says Stop Using It
Written by Sean KalinichReading time is around minutes.
After the breaches and issues with passwords we saw last week we were not surprised to see the creator of a popular password hashing application md5crypt() come out and recommend against using this software. Now if you have followed security then you are probably already aware that the MD5 encryption scheme was broken quite a while ago (2004-2005) and is no longer recommended as an encryption algorithm. So why in 2012 are we only getting a recommendation to stop using md5crypt() now?
Published in
Editorials
Tagged under
Latest from Sean Kalinich
- ConnectWise Slash and Grab Flaw Once Again Shows the Value of Input Validation We talk to Huntress About its Impact
- Social Manipulation as a Service – When the Bots on Twitter get their Check marks
- To Release or not to Release a PoC or OST That is the Question
- There was an Important Lesson Learned in the LockBit Takedown and it was Not About Threat Groups
- NetSPI’s Offensive Security Offering Leverages Subject Matter Experts to Enhance Pen Testing
Leave a comment
Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.